I think it would be good to tackle this issue in manageable chunks so we can start making progress on it. There are real privacy issues that are addressed by encrypting the apt traffic, whether it be HTTPS or, even better, Tor Hidden Services. For more discussion on that topic, see:

https://lists.debian.org/debian-security/2014/07/msg00002.html

There are many little things that we can do to improve the situation while we work on the harder questions here. For example:

* There are already a bunch of Debian mirrors that support HTTPS with a CA-signed certificate. We can get approval from those running those mirrors, and include them on the main list of mirrors. That is easy.

* apt-transport-https can be included by default in Debian.

More on that topic here: https://lists.debian.org/debian-security/2014/07/msg00022.html

.hc
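The two concrete steps in the message above (listing mirrors that serve HTTPS with a CA-signed certificate, and having apt fetch over https://) can be tried out with a small script. The following is an added example written for this page, not code from the message's author or from any Debian tool. It assumes a hypothetical allow-list of HTTPS-capable mirrors (deb.debian.org and the placeholder mirror.example.org); ftp.example.net and the suite name "stable" in the sample sources.list are constructed, not taken from the message. It goes slightly beyond the message by also handling deb-src lines and the optional [options] field, and by showing how a mirror's certificate chain can be verified before the mirror is put on an HTTPS list.

```shell
#!/bin/sh
# Added example, not part of the original message or of any Debian tool.
# Two helpers for the proposal above:
#   upgrade_sources  - rewrite sources.list lines so that mirrors on an
#                      HTTPS allow-list are fetched over https://, leaving
#                      mirrors not on the list untouched.
#   check_mirror_tls - verify that a mirror serves HTTPS with a certificate
#                      chain the system CA store accepts (needs network).

# Hypothetical allow-list of mirrors assumed to serve HTTPS with a CA-signed
# certificate (mirror.example.org is a placeholder, not a real mirror).
HTTPS_MIRRORS="deb.debian.org mirror.example.org"

# upgrade_sources: reads sources.list lines on stdin, writes them to stdout.
# Handles 'deb' and 'deb-src' lines and an optional [options] field before
# the URI; comments and blank lines pass through unchanged.
upgrade_sources() {
    awk -v mirrors="$HTTPS_MIRRORS" '
    BEGIN {
        n = split(mirrors, m, " ")
        for (i = 1; i <= n; i++) ok[m[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^http:\/\//) {
                # host = everything between http:// and the next "/" or ":"
                host = $i
                sub(/^http:\/\//, "", host)
                sub(/[\/:].*$/, "", host)
                if (host in ok) sub(/^http:\/\//, "https://", $i)
                break
            }
        }
        print
    }'
}

# check_mirror_tls HOST: succeeds only if a TLS handshake to HOST:443
# completes and the certificate chain verifies against the system CA store.
# -verify_return_error makes s_client fail on a verification error instead
# of merely reporting it. Needs network access; not exercised by the test.
check_mirror_tls() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" \
        -verify_return_error >/dev/null 2>&1
}

# Constructed sample input (not a real sources.list).
SAMPLE_SOURCES='deb http://deb.debian.org/debian stable main
deb-src [arch=amd64] http://deb.debian.org/debian stable main
deb http://ftp.example.net/debian stable main
# deb http://deb.debian.org/debian stable-updates main'

# Demo: print the rewritten sample. Only the deb.debian.org lines change;
# the ftp.example.net line and the commented line are left as they were.
printf '%s\n' "$SAMPLE_SOURCES" | upgrade_sources
```

Run `check_mirror_tls some.mirror.example` for each candidate host before adding it to HTTPS_MIRRORS; a mirror whose chain does not verify gives no more assurance over https:// than over plain http://, so it should stay off the list. Note that apt still needs apt-transport-https installed for the rewritten lines to work, which is exactly the second point the message makes.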